With just weeks left before a key cybersecurity law expires, lawmakers are facing mounting pressure to act or risk unraveling a core part of the nation’s digital defense strategy. The Cybersecurity Information Sharing Act of 2015 (CISA 2015) was originally passed by Congress to facilitate threat intelligence sharing between private companies and the federal government, and is set to sunset at the end of September.

Security experts warn that without reauthorization, companies may hesitate to report cyber threats due to liability concerns, potentially leaving critical sectors blind to fast-moving attacks. The legislative stalemate now threatens to erode hard-won progress in public-private cyber cooperation.

“While companies could negotiate data-sharing agreements with threat information-sharing bodies, and while the Department of Justice issued guidance that companies would not be prosecuted for cyber intelligence sharing, this situation left too much to prosecutorial discretion for comfort,” Annie Fixler, director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), and Stefan Videnovic, an intern at the CCTI, wrote in a Wednesday policy brief.  

“To remedy this problem, Congress passed the Cybersecurity Information Sharing Act of 2015 (CISA 2015),” according to the brief. “The law disarms liability concerns over data sharing by creating explicit protections for companies sharing ‘cyber threat indicators’ and ‘defensive measures’ with other companies and the federal government.” 

They added that the law provides ‘legal certainty and protection against frivolous lawsuits when voluntarily sharing and receiving threat indicators and taking steps to mitigate cyberattacks.’

Lawmakers have debated using the reauthorization to expand the definition of cyber threat indicators or clarify and expand the liability protections. 

Sen. Rand Paul, a Kentucky Republican who serves as chair of the Senate Homeland Security and Government Affairs Committee, wants the reauthorization to ban the Cybersecurity and Infrastructure Security Agency from combating disinformation, an unrelated pet issue for the chairman. Back in April, Sens. Mike Rounds, a Republican from South Dakota, and Gary Peters, a Democrat from Michigan, also introduced legislation to extend CISA 2015 as written.

Given the ticking legislative clock, Fixler and Videnovic highlighted that an increasing number of private sector groups have called for a straight reauthorization of the law, without changes that may require lengthy debates. “A health care organization asserted back in March that the information sharing enabled by CISA 2015 ‘provides enormous benefits’ and is critical for ‘keeping networks and infrastructure safe.’ An open letter signed by major banking, energy, and technology associations commented that the law has been ‘instrumental in strengthening our collective defense’ and ‘meaningfully improved the capacity and speed with which we can respond to large-scale cyber incidents.’”

They added that a coalition of security companies, researchers, and technology policy experts warned on July 7 that allowing the law to ‘lapse would jeopardize over a decade of progress in enhancing our collective cybersecurity posture.’

Likewise, technology leaders warned that without the law ‘there’s going to be some companies that won’t voluntarily’ share information. Allowing the law to expire would amount to ‘legislative malpractice,’ Larry Clinton, president of the Internet Security Alliance, noted.

Fixler and Videnovic pointed out that consensus in Congress seems to be coalescing around a straight reauthorization. “That option provides the greatest likelihood of averting the crisis that would accompany the expiration of the law. While there are nearly 90 days left on the calendar before CISA 2015 expires, there are only 35 working days for Congress between now and the end of September. Lawmakers should act with haste.”

This week, the FDD said that revoking existing equipment authorizations is a national security imperative and essential to closing supply chain gaps in the Federal Communications Commission (FCC) Equipment Authorization Program. The program requires telecommunications and electronic devices legally marketed in or imported to the U.S. to receive certification. These authorizations allow indefinite importation, sale, and use of devices until explicitly revoked.
